Safebrowsing silently fails on large URL (parameters)
Categories
(Toolkit :: Safe Browsing, defect, P3)
People
(Reporter: grin, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
I was trying to report a fake webmail phishing site using "Help >> Report Deceptive ..." menu entry.
Actual results:
Absolutely nothing happened. The user gets no response or feedback.
Looking at the web console it shows that there was a GET request to whatever-malware-reporting.mozilla.com with no response whatsoever.
The specific problem was that the phisher used an extremely long URL (https://example.com/this/that?email=this&code=that#long_random_stuff) and it was probably beyond the size the Google API accepts, which probably gave an error to mozilla.com, and it choked on the response and dropped the connection. The user waits forever.
I believe that WHEN a URL is too long then
- first everything shall be removed after the "#" in the parameters
- then everything removed after the "?"
and the result shall be a reportable size.
Expected results:
It should have redirected to Google's Safe Browsing and filled in the URL.
The user should not have to manually edit the URL, go to Google and paste it manually.
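The shortening order proposed in the description (drop the part after "#", then the part after "?") can be sketched as follows. This is an added example, not Firefox code and not part of the original report; `shortenUrlForReport` and `MAX_REPORT_URL_LENGTH` are hypothetical names, and the 2048-character limit is an assumption because the report does not state the real one.

```javascript
// Added illustration, not Firefox code. The limit is an assumed value;
// the bug report does not say what size the reporting endpoint accepts.
const MAX_REPORT_URL_LENGTH = 2048;

// Returns { ok, url, dropped, reason }. `dropped` lists the parts removed,
// so the caller can tell the user that the reported URL was shortened.
function shortenUrlForReport(rawUrl, maxLength = MAX_REPORT_URL_LENGTH) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser (browsers and Node.js)
  } catch (e) {
    return { ok: false, url: null, dropped: [], reason: "invalid-url" };
  }
  const dropped = [];
  const fits = () => url.href.length <= maxLength;
  const done = () => ({ ok: true, url: url.href, dropped, reason: null });

  if (fits()) return done();

  // Step 1: remove everything after "#".
  if (url.hash) {
    url.hash = "";
    dropped.push("fragment");
  }
  if (fits()) return done();

  // Step 2: remove everything after "?".
  if (url.search) {
    url.search = "";
    dropped.push("query");
  }
  if (fits()) return done();

  // Still too long (for example a huge path): return an explicit failure
  // so the UI can show an error instead of leaving the user waiting.
  return { ok: false, url: null, dropped, reason: "too-long" };
}

// Constructed sample input modelled on the URL shape in the report.
const sample =
  "https://example.com/this/that?email=this&code=that#" + "r".repeat(5000);
console.log(shortenUrlForReport(sample));
```
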
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Toolkit::Safe Browsing' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•4 years ago
Hey Peter,
I tried reproducing this issue on the latest versions of Firefox Nightly 89.0a1 (2021-04-13), beta 88 and release 87.0 but the report option works fine.
Can you test the issue while in Safe Mode? You can find helpful info here: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .
Also a fresh new profile could help. You can find more about creating a new profile here: https://support.mozilla.org/en-US/kb/troubleshoot-and-diagnose-firefox-problems#w_6-create-a-new-firefox-profile .
If possible, you can test this issue on the nightly build as well. Download the build from: https://www.mozilla.org/en-US/firefox/nightly/all/ .
Comment 3 (Reporter)•3 years ago
(In reply to Andrei Purice from comment #2)
Based on the nature of the issue it's not really simple to reproduce since it needs both a very long but real phishing URL (since I have to report it to Google), an error from the Google API and the bad response handling from Firefox.
I would have suggested to take a look at the part of the code handling responses and if it looks okay, handling both timeout and error response, then you can close this issue; if it's not handled then it should be.
The problem looks pretty independent of the specifics, it's rather about error response handling in the mentioned code paths.
If you can't check it you can keep or close it, I can't quite help with test cases, sorry. :-(